Changeset 2794 for TI05-delivery


Timestamp:
09/08/07 16:29:39 (12 years ago)
Author:
pjkersha
Message:

ows_server/ndgDiscovery.config:

  • swapped saturn host for localhost
  • acIssuerName becomes acIssuer - the expected DN of the cert used with the AC signature

ows_server/ows_server/models/ndgSecurity.py: changes to Gatekeeper ...

  • fixed setting of tracefile config item
  • added acIssuer read which was missing
  • user application based certs for SM authentication rather than user proxy

cert - is much more straightforward

  • Nb. TODO fix hard-wired setting of AA address. This is in place because

the current AA address in the data is wrong.

  • put in place check of AC's issuer DN - should match acIssuer in config file

ows_server/ows_server/controllers/login.py:

makes query string for HTTP GET back to service provider

  • removed wss* keys from session security items - not needed

ows_server/ows_server/lib/security_util.py: new module to bring together all
code for handling of args over LoginService? interface together into one
place.

provider

session object.

ows_server/ows_server/lib/base.py:

args from login's HTTP GET setting them in the session object.

before redirect

ows_server/ows_server/templates/login.kid:

consistency with other code.

Location:
TI05-delivery/ows_framework/trunk/ows_server
Files:
1 added
5 edited

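--- a/TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config
@@ -10,5 +10,5 @@
 #
 # the following is the server on which this browse/discovery instance runs!
-server:         http://saturn.badc.rl.ac.uk:8080
+server:         http://localhost:8080
 #
 # the following is the server on which the NDG discovery service is running! (Not to be confused with
@@ -27,5 +27,5 @@
 mailserver:       outbox.rl.ac.uk
 metadataMaintainer: b.n.lawrence@rl.ac.uk
-repository:       http://saturn.badc.rl.ac.uk:8080
+repository:       http://localhost:8080
 
 
@@ -131,5 +131,5 @@
 # Space separated list of CA cert. files to validate certs against when
 # verifying responses
-wssCACertFilePathList = secpem/cacert.pem
+wssCACertFilePathList: secpem/cacert.pem
 
 # SSL Connections
@@ -145,8 +145,8 @@
 #sslPeerCertCN:
 
-# Attribute Certificate
-# Issuer name - should match with name element specified in
-# home Attribute Authority attAuthorityProperties.xml
-acIssuerName: BADC
+# Gatekeeper Attribute Certificate check
+# Issuer - should match with the issuer element of the users Attribute
+# Certificate submitted in order to gain access
+acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC
 
 # verification of X.509 cert back to CA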
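--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py
@@ -1,4 +1,7 @@
 import sys
+from urlparse import urlparse
+
 from ows_server.lib.base import *
+from ows_server.lib.security_util import LoginServiceQuery
 from ows_common.exception_report import OwsError
 from paste.request import parse_querystring
@@ -132,8 +135,6 @@
         session['ndgSec']={'h':smURI,
                            'u':username,
-                           'r':attCert.roles,
-                           'sessID':sessID,
-                           'wssCertChain':wssCertChain,
-                           'wssPriKey':proxyPriKey}
+                           'roles':attCert.roles,
+                           'sid':sessID}
         session['panelView']='History'
         session.save()
@@ -147,9 +148,6 @@
         self.__securitySetup()
 
-        #currently fudge this
-        #c.providers={'badc.nerc.ac.uk':g.server+'/login',
-        #                  'bodc.nerc.a.cuk':'NotImplemented'}
-
-
+        # TODO: check with Bryan what this is for
+        # P J Kershaw 09/08/07
         if 'roleNeeded' in self.inputs:
 
@@ -194,12 +192,16 @@
             # is there a keyword on redirect_to that can make this https? See:
             # http://pylonshq.com/project/pylonshq/browser/Pylons/trunk/pylons/decorators/secure.py#L69
-            token='smURI=%s&sessID=%s&username=%s&roles=%s' % (session['ndgSec']['smURI'],
-                                                               session['ndgSec']['sessID'],
-                                                               session['ndgSec']['u'],
-                                                               session['ndgSec']['r'])
-            if '?' in c.returnTo:
-                cc=c.returnTo+'&'+token
-            else:
-                cc=c.returnTo+'?'+token
+
+            # Only add token if return URI is in a different domain
+            thisHostname = request.host.split(':')[0]
+            returnToHostname = urlparse(c.returnTo)[1]
+            cc=c.returnTo
+
+            if thisHostname not in returnToHostname:
+                if '?' in c.returnTo:
+                    cc+='&%s' % LoginServiceQuery()
+                else:
+                    cc+='?%s' % LoginServiceQuery()
+
             h.redirect_to(cc)
         else: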
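Review bot: The cross-domain test at new line 200, `if thisHostname not in returnToHostname:`, is a substring match against `urlparse(c.returnTo)[1]`, which still carries any port and treats every host whose name merely contains this server's hostname as the same domain, so the token from `LoginServiceQuery()` (presumably built from the session items set at lines 137-138, including `sid`) is attached or withheld on the wrong basis; compare hostnames exactly instead: `returnToHostname = urlparse(c.returnTo)[1].split(':')[0]` and `if thisHostname != returnToHostname:`. `LoginServiceQuery()` is also constructed twice across the two branches; build it once, `token = LoginServiceQuery()`, and append that. The enclosing method starts and ends outside the hunk, and where `c.returnTo` is assigned is not visible here, so whether it is restricted to known service-provider URIs before the token is appended cannot be confirmed from this changeset.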
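--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py
@@ -8,5 +8,6 @@
 import ows_server.models as model
 import ows_server.lib.helpers as h
-
+from ows_server.lib.security_util import UpdateSecuritySession, \
+                                        LoginServiceQuery
 from ows_common import exceptions as OWS_E
 from ows_common.operations_metadata import OperationsMetadata, Operation, RequestMethod
@@ -30,14 +31,7 @@
         # the action or route vars here
         c.requestURL=construct_url(environ)
-        if 'smURI' in request.params:
-            # TODO: get rid of eval - dangerous as attacker could sub in
-            # an arbitrary command
-            #
-            # P J Kershaw 08/08/07
-            session['ndgSec']={'h':request.params['smURI'],
-                           'u':request.params['username'],
-                           'r':eval(request.params['roles']),
-                           'sessID':request.params['sessID']}
-
+        if 'h' in request.params:
+            UpdateSecuritySession()
+
             if 'panelView' not in session:
                 session['panelView']='History'
@@ -45,9 +39,8 @@
 
             # TODO Make the redirect tidier ...
-            qs=''
-            for i in request.params:
-                if i not in ['smURI','username','roles','sessID']:qs+='%s=%s&'%(i,request.params[i])
-            if qs!='':qs=qs[:-1]
+            qs = LoginServiceQuery.stripFromURI()
+
             cc=construct_url(environ,querystring=qs)
+            raise "Base"
             h.redirect_to(cc)
 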
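Review bot: `raise "Base"` at new line 44 is a leftover debugging statement: it fires unconditionally before `h.redirect_to(cc)` on line 45, so the post-login redirect never executes, and raising a plain string is a deprecated exception form; delete the line. Replacing `eval(request.params['roles'])` with `UpdateSecuritySession()` removes the code-execution path the old TODO flagged, but `UpdateSecuritySession` lives in the new security_util module, which is not shown in this changeset, so whether the `h`/`u`/`roles`/`sid` values arriving on a plain HTTP GET are validated before being stored as the session's security context cannot be confirmed here; a one-line comment at line 34 naming where that check happens would help the next reader, e.g. `# session security items are validated in security_util.UpdateSecuritySession`. The enclosing method starts outside the hunk.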
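--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py
@@ -1,2 +1,4 @@
+import sys # tracefile config param may be set to e.g. sys.stderr
+
 from ows_common.exception_report import OwsError
 from pylons import request
@@ -39,5 +41,7 @@
         try:
             self.ndgCfg = request.environ['ndgConfig']
-            self.tracefile = self.ndgCfg.get('NDG_SECURITY','tracefile',None)
+            self.tracefile = eval(self.ndgCfg.get('NDG_SECURITY',
+                                                  'tracefile',
+                                                  None))
         except:
             raise OwsError('NDG Security not enabled')
@@ -66,5 +70,8 @@
             m='acCACertFilePathList'
             self.acCACertFilePathList = self.ndgCfg.get('NDG_SECURITY',m).split()
-
+
+            m='acIssuer'
+            self.acIssuer = self.ndgCfg.get('NDG_SECURITY',m)
+
         except AttributeError:
             raise OwsError, 'NDG Security Error: No %s'%m
@@ -72,17 +79,11 @@
         # Create Session Manager client
         self.smClnt = SessionMgrClient(uri=self.securityTokens['h'],
-                        sslCACertFilePathList=self.sslCACertFilePathList,
-                        sslPeerCertCN=self.sslPeerCertCN,
-                        signingCertChain=securityTokens.get('wssCertChain'),
-                        signingCertFilePath=self.wssCertFilePath,
-                        signingPriKeyFilePath=self.wssPriKeyFilePath,
-                        signingPriKeyPwd=self.wssPriKeyPwd,
-                        caCertFilePathList=self.wssCACertFilePathList,
-                        tracefile=self.tracefile)
-
-        # Fix WS-Security BinarySecurityToken Value Type for the passing of a
-        # cert chain - required for use with proxy cert.
-        #if wssCertChain:
-        #    self.smClnt.signatureHandler.reqBinSecTokValType = 'X509PKIPathv1'
+                            sslCACertFilePathList=self.sslCACertFilePathList,
+                            sslPeerCertCN=self.sslPeerCertCN,
+                            signingCertFilePath=self.wssCertFilePath,
+                            signingPriKeyFilePath=self.wssPriKeyFilePath,
+                            signingPriKeyPwd=self.wssPriKeyPwd,
+                            caCertFilePathList=self.wssCACertFilePathList,
+                            tracefile=self.tracefile)
 
 
@@ -140,8 +141,11 @@
             # Make request for attribute certificate
             #
-            # sessID is needed if proxy cert is unavailable as ID
-
+            # TODO: correct hard-wired setting of AA address.  This is in
+            # place until the final AA URI in the dataset is agreed.
+            #
+            # P J Kershaw 08/08/07
+            self.reqAAURI="http://glue.badc.rl.ac.uk/services/ndg/security/AttributeAuthority"
             attCert = self.smClnt.getAttCert(attAuthorityURI=self.reqAAURI,
-                                             sessID=self.securityTokens.get('sessID'),
+                                             sessID=self.securityTokens['sessID'],
                                              reqRole=self.reqRole)
 
@@ -149,5 +153,8 @@
             # TODO: write exception to log
             return False, self.__class__.AccessDeniedMsg
-
+        except Exception, e:
+            raise OwsError, "Gatekeeper request for attribute certificate: "+\
+                            str(e)
+
         # Check attribute certificate is valid
         attCert.certFilePathList = self.acCACertFilePathList
@@ -155,7 +162,9 @@
 
         # Check it's issuer is as expected
-        if attCert.issuerName != self.acIssuerName:
-            raise OwsError, "Attribute Certificate issuer must match " + \
-                "this data provider's Attribute Authority name id"
+        if attCert.issuer != self.acIssuer:
+            raise OwsError, \
+                'Attribute Certificate issuer DN, "%s"' % attCert.issuer + \
+                'must match this data provider\'s Attribute Authority ' + \
+                'DN: "%s"' % self.acIssuer
 
         return True, self.__class__.AccessAllowedMsg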
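Review bot: The new `eval(self.ndgCfg.get('NDG_SECURITY', 'tracefile', None))` at new lines 43-45 executes whatever string the config file holds for `tracefile`, and when the item is absent `eval(None)` raises TypeError, which the bare `except:` on line 46 then reports as 'NDG Security not enabled'; resolve the two intended values by name instead, `name = self.ndgCfg.get('NDG_SECURITY', 'tracefile', None)` then `self.tracefile = {'sys.stderr': sys.stderr, 'sys.stdout': sys.stdout}.get(name)`, which keeps the `None` default without evaluating config text. The issuer check at new lines 164-168 compares the AC issuer DN to the configured `acIssuer` as a plain string, so any difference in RDN order or spacing between the two denies access rather than being normalised — worth a comment such as `# literal DN comparison: acIssuer in the config must be spelled exactly as the AA emits it`. The error message built at lines 166-168 also lacks a space between `"%s"` and `must match`. The `except Exception, e` at line 155 forwards `str(e)` from the Session Manager call into the OwsError text; whether that reaches the HTTP client depends on the exception-report layer, which is outside this hunk. The enclosing methods start outside the hunks.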
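--- a/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/login.kid
+++ b/TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/login.kid
@@ -53,5 +53,5 @@
                         <!--! now we choose one of the next two (logged in or not) -->
                         <div py:if="'ndgSec' in session"><table><tbody><tr><td> User [${session['ndgSec']['u']}] logged in
-                        at [${session['ndgSec']['h']}] with roles [${session['ndgSec']['r']}]</td><td>
+                        at [${session['ndgSec']['h']}] with roles [${session['ndgSec']['roles']}]</td><td>
                         &nbsp;<span py:replace="logOut()"/></td></tr></tbody></table></div>
                         <div py:if="'ndgSec' not in session"></div>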